activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String
Published: August 15, 2008
SECURITY IDENTIFIERS
- OSVDB: OSVDB-95749
- Vendor Advisory: https://my.diffend.io/gems/activeresource/versions/2.1.0
GEM
PATCHED VERSIONS
>= 2.2.0
DESCRIPTION
activeresource contains a format string flaw in the request function of lib/active_resource/connection.rb. The issue is triggered because format string specifiers (e.g. %s and %x) in user-supplied input are not properly sanitized when that input is passed via the 'result.code' and 'result.message' variables. This may allow a remote attacker to cause a denial of service or potentially execute arbitrary code.
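The bug class the description refers to, as an added Ruby example that is not the gem's own code: the unsafe function is a reconstruction in which the server-controlled response code and message are interpolated into the string before String#% applies the format, shown beside the form that keeps the template literal. The FakeResponse struct and the function names are assumptions made for this demonstration.

```ruby
# Added example, not activeresource's code. Constructed stand-in for a
# Net::HTTPResponse: a remote server controls code, message and body.
FakeResponse = Struct.new(:code, :message, :body)

def fake_response(code, message, body = '')
  FakeResponse.new(code, message, body)
end

# Vulnerable pattern (reconstruction): the untrusted status message becomes
# part of the format string, so any '%' it carries is read as a directive
# and String#% raises when the directives outnumber the arguments.
def log_line_unsafe(result, seconds)
  "--> #{result.code} #{result.message} (#{result.body.length}b %.2fs)" % seconds
end

# Hardened form: the template is a literal and every untrusted value
# travels as an argument, so '%' inside the message is printed verbatim.
def log_line_safe(result, seconds)
  "--> %d %s (%db %.2fs)" % [result.code.to_i, result.message, result.body.length, seconds]
end

# Returns :raised when building the log line itself fails, which is the
# denial-of-service condition the advisory describes.
def try_log(result, seconds)
  log_line_unsafe(result, seconds)
rescue ArgumentError
  :raised
end

if __FILE__ == $0
  benign  = fake_response('200', 'OK')
  hostile = fake_response('500', 'Internal %s Error')   # constructed status line
  puts log_line_unsafe(benign, 0.1234)   # --> 200 OK (0b 0.12s)
  p    try_log(hostile, 0.1234)          # :raised
  puts log_line_safe(hostile, 0.1234)    # --> 500 Internal %s Error (0b 0.12s)
end
```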
